4

I'm looking for a method to drop process rights for security reasons. I want to start as user with privileges and end as limited user.

For example I want my web server to run under restricted user by I still want to listen on port 80.

How can I do such things under Windows. Something similar to Unix's:

bind_to_80();
chroot("/some/limited/dir");
setuid(limited_user_id);
setgid(limited_group_id);
chroot("/some/limited/dir");
// drop some more rights
fork(); // now I can't come back

How can I do something similar under Windows?

Edit: Of course I understand that Windows does not have fork or chroot, but I'm looking for dropping various rights, especially user - best practices.

Artyom
  • 31,019
  • 21
  • 127
  • 215
  • Did you try just running as the unprivileged user? I am setting up a rest api server under windows for the first time. I used the service management console to configure the service to run as a non-admin user. It still binds and listens on port 80 with no problem. – Aryeh Leib Taurog Mar 03 '16 at 19:05

1 Answers1

4

Take a look at Mark Russinovich's description of stripping privileges under Windows using CreateRestrictedToken and CreateProcessAsUser. As he explains, this isn't bulletproof since the account under which the process is running still retains its privileges.

And of course, his PsExec sysinternals utility helps you strip away at least Administrator privileges, without requiring coding.

For an existing process, it seems AdjustToken and AdjustTokenGroup permit manipulation (the former apparently requires XPSP2 or higher), but require privileges themselves... it might be possible to commit privilege seppuku this way, but I haven't tried them: they might barf on manipulating privileges of the current process.

Pontus Gagge
  • 17,166
  • 1
  • 38
  • 51
  • Is there possible to do it without starting other process? – Artyom Oct 19 '10 at 10:03
  • I was wrong: some manipulation is possible. Edited to add. Not sure about reflective use on the running process. There's no substitute for trying! – Pontus Gagge Oct 19 '10 at 10:24
  • Updated link to Russinvich's blog post https://techcommunity.microsoft.com/t5/windows-blog-archive/running-as-limited-user-the-easy-way/ba-p/723506 May not be *entirely* up to date! – Pontus Gagge Dec 15 '22 at 13:15